[April 10, 2023] Get the PCNSE smart question set with 365 days of free updates [Q55-Q76]


Best-quality Palo Alto Networks PCNSE exam questions

Question 55
If the firewall has the link monitoring configuration, what will cause a failover?

  • A. ethernet1/3 and ethernet1/6 going down
  • B. ethernet1/3 or ethernet1/6 going down
  • C. ethernet1/3 going down
  • D. ethernet1/6 going down

Correct answer: A

Question 56
An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama?

  • A. A master device with Group Mapping configured must be set in the device group where the Security rules are configured
  • B. User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings
  • C. The Security rules must be targeted to a firewall in the device group and have Group Mapping configured
  • D. A User-ID Certificate profile must be configured on Panorama

Correct answer: D

Question 57
When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?

  • A. To enable user authentication to the Portal
  • B. To enable Portal authentication to the Gateway
  • C. To enable Gateway authentication to the Portal
  • D. To enable client machine authentication to the Portal

Correct answer: A

Explanation:
The additional options of Browser and Satellite enable you to specify the authentication profile to use for specific scenarios. Select Browser to specify the authentication profile to use to authenticate a user accessing the portal from a web browser with the intent of downloading the GlobalProtect agent (Windows and Mac). Select Satellite to specify the authentication profile to use to authenticate the satellite.
Reference
https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/globalprotect/network-globalprotect-portals

 

Question 58
How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?

  • A. Panorama provides information about system resources of the managed devices in the Managed Devices > Health menu
  • B. Panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when resource exhaustion is detected on a managed firewall
  • C. Panorama provides visibility into all the system and traffic logs received from firewalls; it does not offer any ability to see or monitor resource utilization on managed firewalls
  • D. Firewalls send SNMP traps to Panorama when resource exhaustion is detected. Panorama generates a system log and can send email alerts

Correct answer: A

Question 59
Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)

  • A. OCSP
  • B. CRL
  • C. CRT
  • D. Cert-Validation-Profile
  • E. SSL/TLS Service Profile

Correct answer: A,B

Explanation:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/certificate-management/certificate-revocation.html#idaa3aa4f6-4791-4dbb-b834-58c22e208be8

 

Question 60
A user at an external system with the IP address 65.124.57.5 queries the DNS server at 4.2.2.2 for the IP address of the web server www.xyz.com. The DNS server returns an address of 172.16.15.1. In order to reach the web server, which Security rule and NAT rule must be configured on the firewall?

[Options A) through D) are exhibit images that are not reproduced here.]

  • A. Option
  • B. Option
  • C. Option
  • D. Option

Correct answer: C

Question 61
When using the predefined default antivirus profile, the policy will inspect for viruses on the decoders.
Match each decoder with its default action. Answer options may be used more than once or not at all. (select four)

  • A. POP3, SMTP - Alert
  • B. HTTP - Alert
  • C. POP3, SMTP - Reset-both
  • D. HTTP - Reset-both
  • E. FTP, SMB - Alert
  • F. FTP, SMB - Reset-both
  • G. IMAP - Reset-both
  • H. IMAP - Alert

Correct answer: A,D,F,H

Explanation:
The default profile inspects all of the listed protocol decoders for viruses, and generates alerts for SMTP, IMAP, and POP3 protocols while blocking for FTP, HTTP, and SMB protocols.
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/policy/antivirus-profiles

 

Question 62
Exhibit:

What will be the egress interface if the traffic's ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image?

  • A. ethernet1/7
  • B. ethernet1/6
  • C. ethernet1/5
  • D. ethernet1/3

Correct answer: D

Question 63
To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure

  • A. PBP (Protocol Based Protection)
  • B. PBP (Packet Buffer Protection)
  • C. PGP (Packet Gateway Protocol)
  • D. BGP (Border Gateway Protocol)

Correct answer: B

Question 64
Refer to the exhibit.

A web server in the DMZ is being mapped to a public address through DNAT.
Which Security policy rule will allow traffic to flow to the web server?

  • A. Untrust (any) to DMZ (10.1.1.100), web browsing - Allow
  • B. Untrust (any) to Untrust (10.1.1.100), web browsing - Allow
  • C. Untrust (any) to Untrust (1.1.1.100), web browsing - Allow
  • D. Untrust (any) to DMZ (1.1.1.100), web browsing - Allow

Correct answer: D

Explanation:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-many-mapping

 

Question 65
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

  • A. Configure the option for "Threshold".
  • B. Automatically "download only" and then install Applications and Threats later, after the administrator approves the update.
  • C. Automatically "download and install" but with the "disable new applications" option used.
  • D. Disable automatic updates during weekdays.

Correct answer: A

Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/set-up-antivirus-anti-spyware-and-vulnerability-protection.html#ide9a94a55-0498-4b2e-806b-6e95899510ac
(Optional) Define a Threshold to indicate the minimum number of hours after an update becomes available before the firewall will download it.
For example, setting the Threshold to 10 means the firewall will not download an update until it is at least 10 hours old regardless of the schedule.

 

Question 66
Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS software?

  • A. PingID
  • B. DUO
  • C. Okta
  • D. RADIUS

Correct answer: D

Explanation:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/authentication-types/multi-factor-authentication

 

Question 67
Which of the following are critical features of a Next Generation Firewall that provide Breach prevention? Choose two.

  • A. Centralized or distributed log collectors
  • B. Endpoint and server scanning for known malware
  • C. Alarm generation of known threats traversing the device
  • D. Application Visibility and URL Categorization
  • E. Processing all traffic across all ports & protocols, in both directions

Correct answer: D,E

Question 68
The certificate information displayed in the following image is for which type of certificate?
Exhibit:

  • A. Self-Signed Root CA certificate
  • B. Forward Trust certificate
  • C. Web Server certificate
  • D. Public CA signed certificate

Correct answer: A

Question 69
SD-WAN is designed to support which two network topology types? (Choose two.)

  • A. full-mesh
  • B. ring
  • C. point-to-point
  • D. hub-and-spoke

Correct answer: A,D

Explanation:
https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/panorama-plugin-for-sd-wan/sd-wan-plugin-200/features-introduced-in-sd-wan-2-0.html
https://www.paloaltonetworks.nl/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/guides/pan-os-secure-sd-wan-deployment-guide

 

Question 70
An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy.
Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?

  • A. Test Policy Match
  • B. Preview Changes
  • C. Policy Optimizer
  • D. Managed Devices Health

Correct answer: A

Explanation:
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/test-policy-rule-traffic-matches.html

 

Question 71
A company wants to install an NGFW firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone.
Which option differentiates multiple VLANs into separate zones?

  • A. Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096" in the "Tag Allowed" field of the V-Wire object.
  • B. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address.
  • C. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the "Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
  • D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.

Correct answer: B

Question 72
On the NGFW, how can you generate and block a private key from export and thus harden your security posture and prevent rogue administrators or other bad actors from misusing keys?

  • A. 1. Select Device > Certificates
    2. Select Certificate Profile
    3. Generate the certificate
    4. Select Block Private Key Export
  • B. 1. Select Device > Certificate Management > Certificates > Device > Certificates
    2. Generate the certificate
    3. Select Block Private Key Export
    4. Click Generate to generate the new certificate
  • C. 1. Select Device > Certificates
    2. Select Certificate Profile
    3. Generate the certificate
    4. Select Block Private Key Export
  • D. 1. Select Device > Certificate Management > Certificates > Device > Certificates
    2. Import the certificate
    3. Select Import Private Key
    4. Click Generate to generate the new certificate

Correct answer: B

Explanation:
1 - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/decryption-features/block-export-of-private-keys.html
2 - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/block-private-key-export

 

Question 73
A remote administrator needs firewall access on an untrusted interface.
Which two components are required on the firewall to configure certificate-based administrator authentication to the web UI? (Choose two.)

  • A. client certificate
  • B. server certificate
  • C. certificate authority (CA) certificate
  • D. certificate profile

Correct answer: C,D

Explanation:
Generate a certificate authority (CA) certificate on the firewall.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface.html

 

Question 74
When overriding a template configuration locally on a firewall, what should you consider?

  • A. Panorama will update the template with the overridden value
  • B. Only Panorama can revert the override
  • C. The firewall template will show that it is out of sync within Panorama
  • D. Panorama will lose visibility into the overridden configuration

Correct answer: D

Question 75
Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)

  • A. OCSP
  • B. CRL
  • C. CRT
  • D. Cert-Validation-Profile
  • E. SSL/TLS Service Profile

Correct answer: A,B

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/certificate-management/set-up-verification-for-certificate-revocation-status

 

Question 76
......
